================================================================== BUG: KASAN: slab-out-of-bounds in memset include/linux/fortify-string.h:209 [inline] BUG: KASAN: slab-out-of-bounds in vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:226 [inline] BUG: KASAN: slab-out-of-bounds in vmk80xx_auto_attach+0x136e/0x19c0 drivers/comedi/drivers/vmk80xx.c:818 Write of size 296 at addr ffff888021582500 by task kworker/0:4/3653 CPU: 0 PID: 3653 Comm: kworker/0:4 Not tainted 5.17.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 memset+0x20/0x40 mm/kasan/shadow.c:44 memset include/linux/fortify-string.h:209 [inline] vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:226 [inline] vmk80xx_auto_attach+0x136e/0x19c0 drivers/comedi/drivers/vmk80xx.c:818 comedi_auto_config+0x138/0x1e0 drivers/comedi/drivers.c:1066 usb_probe_interface+0x274/0x6a0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x1c2/0xb60 drivers/base/dd.c:596 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:755 driver_probe_device+0x44/0x110 drivers/base/dd.c:785 __device_attach_driver+0x185/0x250 drivers/base/dd.c:902 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427 __device_attach+0x1db/0x410 drivers/base/dd.c:973 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487 device_add+0x9ca/0x1b10 drivers/base/core.c:3405 usb_set_configuration+0xa66/0x18b0 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0x74/0xa0 drivers/usb/core/generic.c:238 usb_probe_device+0x95/0x240 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x1c2/0xb60 drivers/base/dd.c:596 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:755 driver_probe_device+0x44/0x110 drivers/base/dd.c:785 __device_attach_driver+0x185/0x250 drivers/base/dd.c:902 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427 __device_attach+0x1db/0x410 drivers/base/dd.c:973 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487 device_add+0x9ca/0x1b10 drivers/base/core.c:3405 usb_new_device.cold+0x5cf/0xee8 drivers/usb/core/hub.c:2566 hub_port_connect drivers/usb/core/hub.c:5358 [inline] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline] port_event drivers/usb/core/hub.c:5660 [inline] hub_event+0x1ba2/0x3930 drivers/usb/core/hub.c:5742 process_one_work+0x879/0x1410 kernel/workqueue.c:2307 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454 kthread+0x299/0x340 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 3653: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524 kmalloc include/linux/slab.h:586 [inline] kzalloc include/linux/slab.h:714 [inline] vmk80xx_alloc_usb_buffers drivers/comedi/drivers/vmk80xx.c:688 [inline] vmk80xx_auto_attach+0x782/0x19c0 drivers/comedi/drivers/vmk80xx.c:811 comedi_auto_config+0x138/0x1e0 drivers/comedi/drivers.c:1066 usb_probe_interface+0x274/0x6a0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x1c2/0xb60 drivers/base/dd.c:596 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:755 driver_probe_device+0x44/0x110 drivers/base/dd.c:785 __device_attach_driver+0x185/0x250 drivers/base/dd.c:902 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427 __device_attach+0x1db/0x410 drivers/base/dd.c:973 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487 device_add+0x9ca/0x1b10 drivers/base/core.c:3405 usb_set_configuration+0xa66/0x18b0 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0x74/0xa0 drivers/usb/core/generic.c:238 usb_probe_device+0x95/0x240 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x1c2/0xb60 drivers/base/dd.c:596 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:755 driver_probe_device+0x44/0x110 drivers/base/dd.c:785 __device_attach_driver+0x185/0x250 drivers/base/dd.c:902 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427 __device_attach+0x1db/0x410 drivers/base/dd.c:973 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487 device_add+0x9ca/0x1b10 drivers/base/core.c:3405 usb_new_device.cold+0x5cf/0xee8 drivers/usb/core/hub.c:2566 hub_port_connect drivers/usb/core/hub.c:5358 [inline] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline] port_event drivers/usb/core/hub.c:5660 [inline] hub_event+0x1ba2/0x3930 drivers/usb/core/hub.c:5742 process_one_work+0x879/0x1410 kernel/workqueue.c:2307 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454 kthread+0x299/0x340 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the object at ffff888021582500 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888021582500, ffff888021582540) The buggy address belongs to the page: page:ffffea0000856080 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888021582080 pfn:0x21582 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0001c12fc0 dead000000000005 ffff88800fc41640 raw: ffff888021582080 000000008020001f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1115, ts 5619501557, free_ts 0 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa6f/0x2f10 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab+0x27f/0x3c0 mm/slub.c:1944 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0xbe3/0x12a0 mm/slub.c:3018 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105 slab_alloc_node mm/slub.c:3196 [inline] kmem_cache_alloc_node_trace+0x185/0x420 mm/slub.c:3280 kmalloc_node include/linux/slab.h:599 [inline] kzalloc_node include/linux/slab.h:725 [inline] __get_vm_area_node.constprop.0+0x9b/0x300 mm/vmalloc.c:2429 __vmalloc_node_range+0x124/0xd60 mm/vmalloc.c:3092 alloc_thread_stack_node kernel/fork.c:245 [inline] dup_task_struct kernel/fork.c:887 [inline] copy_process+0x720/0x6880 kernel/fork.c:1998 kernel_clone+0xb8/0x7f0 kernel/fork.c:2565 kernel_thread+0xa3/0xe0 kernel/fork.c:2617 call_usermodehelper_exec_work kernel/umh.c:174 [inline] call_usermodehelper_exec_work+0xa4/0x140 kernel/umh.c:160 process_one_work+0x879/0x1410 kernel/workqueue.c:2307 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454 kthread+0x299/0x340 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 page_owner free stack trace missing Memory state around the buggy address: ffff888021582400: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc ffff888021582480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff888021582500: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff888021582580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888021582600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ==================================================================